Need win_shell to run with elevated privileges
510 görüntüleme
İlk okunmamış mesaja atla
Arielle Adams
6 Mar 2020 15:10:246.03.2020
alıcı Ansible Project
Hi,
I'm unable to get win_shell to run with elevated "run as admin" privileges. I have the details posted below in this issue:
As stated, I tried to see if it could be a double hop issue by adding the become logic but this did not work. The script runs perfectly locally, just need to automate this using ansible.
If anyone has any idea as to why this isn't working properly I'd greatly appreciate it.
Jordan Borean
6 Mar 2020 17:03:326.03.2020
alıcı Ansible Project
As I mentioned in that issue the processes run from Ansible with the highest privileges available to the user you can verify this by running
- win_command: whoami.exe /allHere is what you should roughly see back
(ansible-py37) jborean:~/dev/ansible-tester$ ansible 2019 -m win_command -a 'whoami.exe /all'
[WARNING]: You are running the development version of Ansible. You should only run Ansible from "devel" if you are modifying the Ansible engine, or trying out features under development. This is a rapidly
changing source of code and can become unstable at any point.
2019 | CHANGED | rc=0 >>
USER INFORMATION
----------------
User Name SID
===================== =============================================
domain\vagrant-domain S-1-5-21-2959096244-3298113601-420842770-1104
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
============================================= ================ ============================================ ===============================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Performance Log Users Alias S-1-5-32-559 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators Alias S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
DOMAIN\Domain Admins Group S-1-5-21-2959096244-3298113601-420842770-512 Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1 Mandatory group, Enabled by default, Enabled group
DOMAIN\Denied RODC Password Replication Group Alias S-1-5-21-2959096244-3298113601-420842770-572 Mandatory group, Enabled by default, Enabled group, Local Group
Mandatory Label\High Mandatory Level Label S-1-16-12288
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
========================================= ================================================================== =======
SeAssignPrimaryTokenPrivilege Replace a process level token Enabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Enabled
SeSecurityPrivilege Manage auditing and security log Enabled
SeTakeOwnershipPrivilege Take ownership of files or other objects Enabled
SeLoadDriverPrivilege Load and unload device drivers Enabled
SeSystemProfilePrivilege Profile system performance Enabled
SeSystemtimePrivilege Change the system time Enabled
SeProfileSingleProcessPrivilege Profile single process Enabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority Enabled
SeCreatePagefilePrivilege Create a pagefile Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeDebugPrivilege Debug programs Enabled
SeSystemEnvironmentPrivilege Modify firmware environment values Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeRemoteShutdownPrivilege Force shutdown from a remote system Enabled
SeUndockPrivilege Remove computer from docking station Enabled
SeManageVolumePrivilege Perform volume maintenance tasks Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeTimeZonePrivilege Change the time zone Enabled
SeCreateSymbolicLinkPrivilege Create symbolic links Enabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled
USER CLAIMS INFORMATION
-----------------------
User claims unknown.
Kerberos support for Dynamic Access Control on this device has been disabled.
You can see in the output the user has the 'BUILTIN\Administrators' group that is Enabled and also has the 'Mandatory Label\High Mandatory Level' label assigned to it's groups. It also has a whole bunch of privileges assigned to the token which tells us the process is enabled. This should have a fairly similar output to just running that locally with a few slight changes. If you compare that to a limited process I run locally here is what I get
C:\Users\vagrant-domain>whoami.exe /all
USER INFORMATION
----------------
User Name SID
===================== =============================================
domain\vagrant-domain S-1-5-21-2959096244-3298113601-420842770-1104
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
============================================= ================ ============================================ ===============================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Performance Log Users Alias S-1-5-32-559 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators Alias S-1-5-32-544 Group used for deny only
NT AUTHORITY\REMOTE INTERACTIVE LOGON Well-known group S-1-5-14 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
DOMAIN\Domain Admins Group S-1-5-21-2959096244-3298113601-420842770-512 Group used for deny only
Authentication authority asserted identity Well-known group S-1-18-1 Mandatory group, Enabled by default, Enabled group
DOMAIN\Denied RODC Password Replication Group Alias S-1-5-21-2959096244-3298113601-420842770-572 Mandatory group, Enabled by default, Enabled group, Local Group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== ========
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
USER CLAIMS INFORMATION
-----------------------
User claims unknown.
Kerberos support for Dynamic Access Control on this device has been disabled.We can see on a limited process the 'BUILTIN\Administrators' group is only used for deny ACE checks and the label is 'Mandatory Label\Medium Mandatory Level'.
Now as to why the script isn't working that I am not sure on as your output does not indicate it had any errors occur. As I was saying above running through WinRM usually means the user runs as the highest privilege available to them. The only scenario I know off where that isn't the case is if the LocalAccountTokenFilterPolicy reg property is not set and WinRM has been explicitly set to grant non-admins access through WinRM. A quick win_command: whoami.exe /all check will help tell you if that is the case.
Become usually fixes issue where the script works fine when run locally but not through Ansible but that's typically only in cases where you are talking to external hosts like a file share. If the script isn't doing what you expect but isn't failing then you need to;
- Verify the script is actually running on the host you think it is
- The paths in the script are where you think they are
- Figure out why errors are being silenced, a file doesn't just fail to be written without it erroring somewhere
Also on an unrelated note to this issue you can combine the win_copy and win_shell task into just 1 using script like so;
- name: Modify WinCollect Config File
script: WinCollectConfig.ps1
That will find the 'WinCollectConfig.ps1' in the files directory, copy it to a temp location, execute it, then finally remove that temp file all in 1 step.
Thanks
Jordan
Tümünü yanıtla
Yazarı yanıtla
Yönlendir
0 yeni ileti